CVE-2024-58060

In the Linux kernel, the following vulnerability has been resolved:

bpf: Reject structops registration that uses module ptr and the module btfid is missing

There is a UAF report in the bpfstructops when CONFIGMODULES=n. In particular, the report is on tcpcongestion_ops that has a "struct module *owner" member.

For structops that has a "struct module *owner" member, it can be extended either by the regular kernel module or by the bpfstructops. bpftrymoduleget() will be used to do the refcounting and different refcount is done based on the owner pointer. When CONFIGMODULES=n, the btfid of the "struct module" is missing:

WARN: resolve_btfids: unresolved symbol module

Thus, the bpftrymodule_get() cannot do the correct refcounting.

Not all subsystem's structops requires the "struct module *owner" member. e.g. the recent schedext_ops.

This patch is to disable bpfstructops registration if the structops has the "struct module *" member and the "struct module" btfid is missing. The btftypeis_fwd() helper is moved to the btf.h header file for this test.

This has happened since the beginning of bpfstructops which has gone through many changes. The Fixes tag is set to a recent commit that this patch can apply cleanly. Considering CONFIG_MODULES=n is not common and the age of the issue, targeting for bpf-next also.